The Securities and Exchange Commission (SEC) has been faced with the question of how public companies should disclose their cybersecurity risks and incidents to investors, particularly in light of the cybersecurity breaches of the past few years. Just last year, the Equifax cybersecurity breach impacted 143 million Americans, causing the company’s stock to dive and losing up to $5.3 million. The SEC sets out to maintain a fair and efficient market; so what is the threshold of disclosure that public companies must meet to protect the interests of investors?
Public companies, fearing cybersecurity threats, have protected private and consumer information by investing in new technology and services that help detect cyberattacks early on. The cybersecurity industry is booming, and cybercrime collectively will cost domestic U.S. businesses about $6 trillion per year on average.[1] As the financial industry and businesses continue to integrate greater use of technology, companies have made it a priority to prevent cyberattacks in order to preserve company and consumer information as well as their reputation and stock price. As more public companies take steps to protect themselves from cybercrime, what information, if any, must they disclose to investors and other market participants?
In 2011, the SEC Division of Corporation Finance issued a guidance report on the methods public companies should use to disclose cyber risks and their impact. The report stated that “material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures.”[2] The report explains that the information required for disclosure depends on several factors, most notably “prior cyber incidents and the severity and frequency of those incidents.”[3] However, the 2011 disclosure guidance proved ineffective in practice. Despite the significant increase in cyber threats and the recent breaches affecting large U.S. companies, public companies’ practices in disclosing these threats to investors have not improved. The issue is that the guidance documents are mere suggestions for public companies. Although certain disclosures may be required in conjunction with other reporting obligations, companies are not obliged to report cybersecurity risks on their own.
In late February 2018, the SEC issued another guidance report on cybersecurity disclosures. “The guidance reminds companies that they should consider cybersecurity risks and incidents … [and] the importance of maintaining comprehensive policies and procedures.”[4] However, the problem is that the Commission’s power “is confined in what it can do in the context of guidance, without engaging in a formal rulemaking.”[5] As a result, the 2018 guidance differs little from the 2011 guidance. Commissioner Kara M. Stein notes that the new 2018 guidance on disclosures does not effectively address the significant impact cybersecurity has had on companies since 2011 – the reason being the SEC’s limitations on regulating the area. Acknowledging the importance of disclosure to protect the integrity of the market is a vital step. Public companies should take the SEC’s guidance into consideration in order to proactively prevent incidents such as the Equifax breach. The SEC acts to maintain a fair and efficient market, but market players need to ensure they abide by and implement even informal policies in order to get ahead.
[1] SEC. (Feb. 21, 2018). “Statement on Commission Statement and Guidance on Public Company Cybersecurity Disclosures.” Available at: https://www.sec.gov/news/public-statement/statement-stein-2018-02-21. Accessed March 2, 2018.
[2] SEC Division of Corporation Finance. (Oct. 13, 2011). “CF Disclosure Guidance: Topic No. 2.” SEC. Available at: https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm. Accessed March 2, 2018.
[3] Ibid.
[4] Op. cit., n. 1.
[5] Ibid.